How to set up Google's two-step verification

To better protect your digital life, specifically your Google account, turn on two-factor authentication for your Gmail account. With a few minutes of setup time, your account will be much more secure -- with very little hassle.

Make your Google account more secure

Learn how to add a second layer of password protection to your Google and
Gmail account using two-step verification.

by Donald Bell

2:39

Close

Drag

I started using Google's two-step verification in 2012 after reading Mat Honan's tale of woe in Wired, in which his Amazon, Apple, Gmail and Twitter accounts were hacked and his digital life was eradicated.

Long story short, hackers strung together pieces of information to gain access to several important online accounts. The results were personally devastating for him. But his story is a good lesson for all of us. After learning the details of the attack -- from one of the hackers himself, no less -- Honan says he regrets three things most of all.

1. Turning on Find my Mac, which let the hackers erase his MacBook.

2. Not creating regular, local backups of his MacBook, including his photo library.

3. Not using Google's two-step verification, which would have prevented the hackers from getting into his Gmail account and perhaps his Twitter account, the true target of the attack.

That last item is a good reminder for anyone who uses Google for email and its ever-growing suite of apps. Two-step verification (also called two-factor authentication) adds another layer of security to your account. With it turned on, you (or a would-be hacker) would need to take two steps to log in to your Gmail account. In addition to your regular password, you'll need a six-digit code that gets sent to your phone immediately whenever you try to log in. This means a hacker can't break into your account even if they've cracked your password. They'd also need physical possession of your phone.

If that seems overly cumbersome, don't worry. You don't actually have to wait for that texted code every time you log in. In this post, we will cover how to set up two-step verification for your Google account in just a few minutes -- and how to do it without adding extra steps to your everyday routine.

Enable two-step verification

To get started, go to Google's two-step verification page, click the Get Started button and log into your Gmail account. Next, follow a simple four-step process to enable two-step verification.

Photo by Screenshot by Matt Elliott/CNET

Step 1: Confirm that the phone number listed is the cell phone on which you'd like to receive verification codes. Select to receive your codes via text or voice and then click Sendcode.

Photo by Screenshot by Matt Elliott/CNET

Step 2: Enter the six-digit code you received on your phone and click Verify.

Photo by Screenshot by Matt Elliott/CNET

Step 3: Here you are asked whether you are using a trusted computer. If you are on a computer you use frequently and that you feel is secure, such as a home desktop or a computer only you use at work, you can tell Google to trust it and you won't be asked for the two-step verification code when you log in to your Google account from that machine. From any untrusted computers, you (or anyone trying to get into your account) will be required to enter both the password and a two-step verification code whenever you attempt to log in to your account. Decide whether to check the box to Trust this computer and then click Next.

After enabling two-step verification, Google will send you a confirmation email that contains three additional suggested steps. They are:

1. Set application-specific passwords

If you have apps that use your Google account, you will need to create application-specific passwords for them. Common apps that require this step are smartphones, mail clients that use IMAP/POP (such as Outlook Express, Thunderbird or Apple Mail), and chat clients.

In the confirmation email, click the Get started now link to set up application-specific passwords. On the App passwords page, choose an app and a device from the pull-down menus and click Generate. (You can also create custom names if your app and device aren't listed among the choices.) You will get a 16-digit code that you will then need to enter for that app.

Photo by Screenshot by Matt Elliott/CNET

Thankfully, you need to do this only once per app or device. You can revoke the app's access to your Gmail account at any time from this same page. If a phone or tablet that has access to your Gmail account is ever lost or stolen, remember to log in to Gmail immediately in a Web browser and revoke access from that device.

2. Set up a backup phone

You can build in some redundancy for your two-step verification code by adding a second phone number as a backup. You can use the phone number of a trusted family member or friend, and Google can send a code to that person if you ever need to log in and your phone is misplaced, broken, lost, or stolen. To do so, head to your 2-Step Verification settings page and sign in. Next, click on Add a phone number in the Backup phones section.

3. Get backup codes

Also on the 2-Step Verification settings page, you can also print a list of backup codes, which you can use to log into your Google account if you don't have access to your primary or backup phones--such as when you're traveling -- you can sign in with a backup code. Click the Generate/Show backup codes link for a list of printable codes, which you can then keep in your wallet or as a text file on your computer.

Lastly, you can also use a mobile app to receive codes. The Google Authenticator app is available for iPhone, Android and BlackBerry platforms and is useful for when you don't have cell service or want to avoid running up the text messaging portion of your cell phone bill.

There is no question that two-step verification adds a bit of hassle to your digital comings and goings, but it's a slight inconvenience worth the trouble, we think you'd agree, when the alternative can be something as devastating as getting hacked to the extent that Wired's Mat Honan did.